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ABSTRACT 


This thesis PReEoe ms an implementation of 
multiprogramming and process management functions for the 
metermivy kernel of a distributed rultiprocessor syStem. The 
implementation is tased on a family of opérating systems 
designed to provide controlled access in a microcomputer 
network to data bases containing multiple evee es Chae 
sensitive information. 

Multiprogramming improves system efficiency and creates 
a virtual environment which frees the remainder ofr the 
operating System from a dependence on Orecess OF 
Bont iguration. Frocessor management coo recinetes the 
asynchronous interaction of SyStem processes. 

This implementation describes 4 processor multiplexing 
technique for a distributed kernel and presents a virtual 
MieerTrunt mechanism. Its Structure is loop free to permit 
future expansion into more complex members of the design 


family. 
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eNO DUCTION 


The application Onn Contemporary microprocessor 
technology to the design of large-scale multiple processor 
Systems offerS many potential benefits. The COS% of 
high-power computer systems could be reduced drastically; 
fault tolerance in critical real-time syStemsS could be 
mupeoved; and computer services could be applied in areas 
where their use is not now cost effective. Vesigning such 
Systems presents many formidable proolems that have rot been 
SOlved by the Specialized single processor systems available 
today. 

Specifically, there is an increasing demand for computer 
meapems that provide protected Storage and controlled access 
for sensitive information to be shared among a wide range of 
Meers. Data controlled by the Privacy Act, classified 
Department of Tefence (DoD) information, and the 
Mearmsactions of financial institutions are but a few of the 
areas which require protection for multiple levels of 
sensitive information. Multiple processor systems which 
Share data are well suited to providing such services - if 
Meenmadte security problem can be solved. 

A solution to these problems - a multiprocessor system 


design with verifiable information security - is offered in 


ne 





a family of Seelteeweohstributed multi—~mlcroprocessor 
Operating SyStems designed by O°’Connell and Richardson [1]. 
A subdset of this family, the Secure Archival Storage System 
(SASS) [2,3], has been Selected as a testbed for the general 
design. SASS will provide consolidated file storage for a 
network of possibly disSimilar “host computers. The system 
Will provide controlled, shared access to multiple levels of 
sensitive information (figure 1). 

This thesis presents an implementation of a basic 
monitor for the O°Connell-Richardson family of cperating 
systems. The monitor provides multiprogramming and process 
management functions specifically addressed to the control 
of miveical processor resources of SASS. Concurrent thesis 
work [4] is developing a detailed design for a Security 
kernel process, the Memory Manager, which will manage SASS 


memory resources. 


ie 
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A. EACKGROUND 


The general family design is composed of a supervisor 
moma Security kernel. The Supervisor provides dynamic 
linking, a discretionary security policy, demand memory 
management, and a hierarchical file system in Support of the 
user. The security kernel manages physical resources to 
provide scnedulineg, interprocess communication and 
MemerroniZation, and a2 non-disScretionary Security policy. 
The ecesign is loop-free to permit the implementation of 
System subsets ranegine from a Simple monitor to a eeneral 
meepose computer utility. 

SASS is a subset of this system and does not require use 
of several higher levels of the general system desien. 
Dynamic linking, demand segmentation, transient preccesses, 
and a user domain are not Recea cat y s10 nee? tS intended 
Operation, and are excluded. The software of SASS is 
Mert loned into two domains. The security kernel, which is 
the most privileged domain, manages system physical 
resources in a manner designed to prevent unauthorized 
Meeormation flow, regardless of action taken by other 
elements in the system. Tne less privileged domain, tne 
Stervisor [2], provides each host with a hierarchical file 
system in which it may store and retrieve files and snare 
them with other hosts. The hosts send commands and transfer 


Peles via bidirectional digital links. SASS was designed for 





implementation of Cumrent ly available MkerOproOcesSor 
hardware. Multiprogramminge is used _ to improve system 
efficiency and to create a virtual environment which frees 
Mmewremainder of the operating system from a dependence on 
the physical processor configuration. Frocessor management 
meoviaes dad means of coordinating the interaction of the 
asynchronous processes whicn comprise the system. This 
mmoeementation employs a processor multinlexing tecnnique 
for a distributed kernel and presents @ virtual interrupt 
meenanism. The modular, hierarchical structure of the 
software is loop-free to support system expénsion to higher 
level functions. 

Although the primary 2g0al of the design is Security, the 
@eean, logical, process-oriented structure of SASS offers 
Other benefits aS well, including fault tolerance, resource 


configuration independence, and efficiency. 


fee COMPUTER SECURITY 


The need for providing protection for information within 
a computer syStem iS well documented. Development of the 
security kernel technology [5,6], has transformed the 
Operating system deSigner’sS approach from a eame of wits 
with penéetrators into a methodical design process. 

In general, security is provided by providing protection 


memmeinrormation in accordance with a specific protection 


eo 





Bermicy. In the case of computer Secun) ty Lois is 
accomplished by controlling the access of people to 
maeormation. Although this protection can be provided by 
external controls (¢.g., confining the computer system and 
all its users within a physical security perimeter), this 
method is inefficient and prone to human error. Furthermore, 
a distrituted computer network will probably be dispersed 
over too wide an area to be physically confined. Supported 
Petre s€curity kernel 4approach, an internal protection 
mechanism controlled by the computer operating system is a 
measible solution. 
1. Reference Monitor 

The concept of protection is realized withir the 
computer system by the implementation of a mathematical 
model of information security. This model is baSed on an 
abstract representation of security called the Reference 
Monitor [7]. The Reference Monitor describes 4 mechanism for 
Memorolling the access of subjects to objects, based on a 


set of access authorizations (figure 2). 
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Every time a subject attempts to access an otject, 
meemeecrerence Monitor checks to determine if the sutject has 
authorization to perform the desired operation (e.2g., write, 
read) on the object. If the policy does not authorize the 
access, the Reference Monitor will prevent the subject from 
performing the requested operéetion. This mechanism is 
realized within the operating system as the security kernel. 
Several system features are required in order for the 
mechanism to function correctly. 

First, every reference to information (i.e., every 
access to primary memory by the processor) must g0 through 
the security kernel. 

Second, the implementation of the security kernel must 
be an exact representation of the matnematical model of 
moarormation security. 

mira, the security kernel must be tamper-proof. 

Peeoecuritv Policy 

Miemmseccunity  powrey to te Enfrorced Dy the computer 
System consists of external laws, rules, regulations, etc., 
Woten establish permissable information access independent 
of the computer system. Therefore, a computer system will te 
Meeure Only with respect to a Specific security policy. The 
security kernel concept supports a broad range cf security 
policies tnat can be divided into two classes, 


Memecrscretionary and discretionary security. 


ee 





weiter ocre tblomary Policy 

Non-Giscretionary security policy uses labels to 
insure only permissabdle access of subjects to otjects is 
provided. Object labels reflect obdject Sensitivity and 
subject labels reflect subject authorization. (For example, 
MeeroMal Security Policy labels include Uo has sien ved, 
Secret, etc.). A non-discretionary security policy prevides 
compromise protection (from unauthorized reading), integrity 
protection (from unauthorized modification), and must 
prevent information leaks resulting from indirect access to 
Memertnorized information as well. A non-discretionary 
security policy requires that all subjects and objects have 
mempels. Most contemporéry computer svstems do not provide 
this explicit labeling and therefore implicitly make all 
access permissable. 

bee rseretionary Folicy 

Psere momany security policy provides a finer 
division of access by allowing individual subjects to decide 
which aad the permissable accesses, determined by 
non-discretionary policy, will actually be allowed (e.g., 
DoD’s ‘need to know ). Many contemporary computer systems 
Moport discretionary security policy with access control 
lists, file passwords, Gawat] ] ity lists and other 


mechanisms. 
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eee ecu ty Kennel Pecan 


fy careful interpretation of the mathematical madel 
of the Reference Monitor, the Security kernel iS designed to 
Meme subset of operating system functions. Kernel primitives 
form an interface between this subset and the remainder of 
the system. If these primitives are implemented correctly, 
their use guarantees that information will be protected in 
compliance with system security policy, regardless of anv 
action taxen bv other portions of tne operating system or by 
the user. A more detailed discussion of the security model 


memprovided in [4,5,6]. 


Meer’ OF THESIS 


In this chapter a subdset of tne general operating 
System design, the Secure Archival Storage System (SASS), 
Was described. The concept of information security was 
examined and the security kernel was ovresented as a 
Meemnicaily sound approech to the problem of providing 
internal computer security. 

Chapter Two will discuss the design eoals of this 
Operating system. Functional design requirements will  o0be 
developed and the issues of phySical resource managerent and 
memeormance will be traced to specific attributes desired in 
System hardware. The rationale behind the ultimate selection 


of Zilog’s Z8¢@¢ Microprocessor and ZE€1€ memory management 


IS, 





unit (MMU) for use in the SASS testbed implementation of 
this operating system will be discussed. 

Chapter Three will descrite the high level design of 
SASS with an emphasis on the security kernel design. A view 
of the user (computer host) environment as a collection of 
cooperating processes will be presented, and tne 
fmeememonical Structure of the distributed kernel rodules 
will be examined in detail. 

Chapter Four will present an implementation of the SASS 
security kernel modules tnat provide multinrogramming and 
processor management. The construction of the virtual 
machine e@nvironment will be described and the advantéges of 
a two-level scneduling mechanism will be explained. 

mmeriy an @valuation of this impleméntation will be 
presented with recommendations for improving the design and 


Suggestions for follow on work. 





tr eweeNc oor ito DESTEN CONCEPTS 





The kernel primitives providing multiproeramming and 
Mmeecess mMdndgement form one of the smallest and most basic 
subsets in the family of operating systems cdesigned by 
O’Connell and Richardson [4]. As developed here they were 
implemented specifically to support SASS. In geéneral the 
Same Kernel primitives will Support all members of this 
design family. 

Fefore discussing the high level design of the SASS 
Meeyrity kernel and presenting an implementation of these 
primitives, it is useful to investigate tne general design 
methodology applied to the development of this operating 
mmeemem. in this chapter the design goals of SASS will be 
analyzed and traced to functional requirements and hardware 
Mmemrontes considered necessary or desirable in support of 
the systems design goals. It is fTrecognized that the 
Beerating system user Will protably not address these issues 
directly when specifying system desiegr goals. The material 
Meesented here concerns the approach of the system designer 
memime definition of requirements implicitly related to user 


design foals. 
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fee DBSIGCN PFILOSOPHY 

mee issues confront the operating system designer. 
eo, Oe must provide system functions which support the 
services requested by tne user. These Pune tend) 
GBeaurrements affect the logicél design of the system. 


second, he must address issues of cost and performance. Cost 


and other management considerations will not tbe addressed 


here. Ferformance issues concern the management of physical 


meources and ultimately cé&n be reduced to hardware 


requirements. 


There iS a considerable amount of literature devoted to 


mmemeecevelopment of the functional design of operating 


systems. Diikstra [8] nas described a technique for reducing 


the complexity of the deSigen by G&llocatine operating System 


activities to a number of cooperating processes. Frocess 


Sere iS Simplified in turn by defining its functions in 


levels of increasing abstraction and by anvvlying the 
M@ernciples of structured programmine. 
Madnick and Donovan [9] have described an operatine 


System as a hierarchical extended machine. Program modules 


are added to the system hardware to provice many extenced 


meotructions Miao won boo tne Nardware instructions 


meorrable on the tare machine. In complex systems one 


extended machine 


system composed of 


may be constructed upon another to form a 


levels of abstract (virtval) machines. 


Ze 





Pebtzereii¢} an@ Reed (11, 12) have discussed the 
advantages of resource virtualization and have described 
some use@ful interprocess communication mechanisms. The 
general design strategies presented in this and other 
research aid the operating system designer in developing 
system functions in a clean, logical, verifiable design. 

Miceesclection of an appropriate computer architecture, 
meren supports both functional requirements and tne 
efficient management of physical resources, often proves to 
be a more difficult issue. Frequently operating systems 
desien is shaped by the capabilities of system hardware. 
This may be a result of performance limitations or cost of 
available hardware, but often this course iS taken because 
traditionally, system design begins with hardware. Since a 
primary e?0al in operating syStms design is to create a 
mmmeeric Operational environment for the user, it would 
appear to be preferable to design from the desired 
environment ‘down to the hardware. In this way. all 
cOmponents of the system, software and hardware alike, are 
GCvaluated in the light of the ultimate goals of the system, 
and any incompatabilities between required functions and 
Maenraware capabilities will be discovered early in the 
design. Then, if modifications are required, design changes 
can be made at a high level which will preserve design 
integrity. LSI technology currently provides a wide veriety 


of relatively inexpensive microprocessor hardware from which 
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mame lect specific physical components. Furthermore, it is 
orten feasible to design special purpose harcware to 
meeertication. So the traditional restrictions on hardware 
versatility in systems design need not apply in many cases 
to microprocessor systems. 

iimeesummary, the top-down design philosophy can te 


applied to operating systems design in the following manner: 


Identify géneral and specific design goals. 
Derive functional design requirements. 
identify performance requirements. 

select system hardware. 

Develope kernel software. 

Develope the remainder of the O/S software. 


OMIP AN PR 


B. GENERAL DESIGN GOALS 


Althoush many design goals depend upon specific system 
Mmmeecation, there appear to be some attributes desiraetle in 
all operating systems. 

ime eorical Structure 

Computer system design is an engineering probdlem and 
the tools of the engineering design process should be 
applied to the development of software as well as hardware 
meron Clarity should be a major goal of any design for if 
the operating system cannot be understood easily it will be 
Meer cuit to test, difficult to maintain, and ES 
correctness will always be in doubt. A sound enginering 


design philosophy is not guaranteec to generate error free 
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etems, but if syStem functions are cleanly organized and 


well understood, then it is likely that there will te few 
Peeters and these can be corrected without difficulty when 
discovered. 
eee fault Tolerence 
If? an operating system is to be reliable, the 
software it uses must be protected from damage whenever 
possible. In particular, tasks performed by the system 
Should be isolated from another so that 4 malfunction (e.g., 
as tne result of hardware failure) in one task has no effect 
on others. 
S$. Efficiency 
The efficient use of physical resources (precessors, 
memory, periphals, etc.) continues to te a primary design 
Zoal. Fowever, since hardware is no longer tne scarce, 
Mmpensive commodity it oncé was, a concern for overall 
system efficiency (i.e., nighner thorugh-put, faster response 
time) may be more important. With appropriate component 
selection many software functions can be repleced by 
hardware functions that can provide an improverert in syster 


Merrormance at a small] additional hardware expense. 


C. SPECIFIC DSSIGN GOALS 


The family of operating systems designed ty O“Connell 


and Richardson prevides all of the services expected of a 
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mmeememO: the art, g£eneral purpose operating system. Many of 
these general services are not necessary in the SASS subset 
Gore family. The number of processes required by SASS is 
determined by the number of nost computers linked to SASS 
hardware. A design choice was made to fix this number 4t 
System generation time. Therefore Cynamic process management 
mmmetiones recuired;,; SASS processes exist for the life of the 
system. A primary function of SASS is tne transfer of files 
Detween host computers and SASS via bidirectional digital 
links. As a result, the system will have a low transaction 
rate, and the relatively fast response time desired in a 
time-sharing svstem is not required here. Sass dces not 
meovide programming services to users; the system strictly 
manages an archival storage system. Tnis eliminates the 
requirement for a user domain and because the demands on 
primary memory are not excessive, there iS No need for 
dynamic memory management. 
ornuer services of the general svstem provide 
essential support to SASS. These services include I/0 
management, file management, and the physical resource 
management and information protection functions provided by 
the Security kernel. 
mre SASS Fequirement to provide multiple host computers 
(users) with controlled, shared access to a multilevel 
secure data warehouse leads to several design goals. These 


meerudes internal security to proctect information in a 
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Meeemeri buted computer networks; configuration independence for 
System versatility; and a subsetting capability to support 
future system expansion to more complex memters of the 
design family. 
Mei nterntal Security 
A unique feature of SASS is the specification of 
[met iievel security aS a primary design goal. Multilevel 
memrity provides controlled sharing of information of 
varying sensitivity among many uSers in accordance with an 
meeess policy implemented internally by the operating 
system. It is essential that a system supporting a remotely 
mereessed data base contéining information of different 
access classes be provided witn an internally enforced 
eeeurity policy. 
Beeecontiguration Independence 
The resource configuration of a multicomputer system 
bs Highly changeable. Processors are added eé@énd removed; 
memory is reconfigured; interconnection schemes are altered 
dnd peripherial equipment is changed. The operating system 
of such a design shoulda be sufficiently flexible to permit 
maintenance and to allow for growth and reconfiguration 
without requiring drastic system redesign or noticeably 
affecting the user’s environment. 
eee 2ub=settineg Capability 
Operating system “sub-setting refers to the ability 


to form meaningful subsets of the design by eliminating many 
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of the services that can be provided by tne system without 
affecting the usefulness of the remainder of the System. 
Sub-setting permits the system to be tailored to fit a 
number of specific deSigns ranging from a Simvle monitor to 
a ar 1 service time-shared Computer Uti iigey = The 
implementation presented in this thesis creates a ronitor 
that provides multiprogramming and processor management. 
This subset supports more complex family members of the 


meemen such as SASS. 


D. CSSICN REQUIREMENTS 


mmc OD—-COwWn G@pprodadch to d@ésign. goals are clarified 
and defined by requirements which describe either tne system 
functions or address cost and performance issues (hardware 
requirements). The functional requirements defined below 
mmeoort tne specific design goals of SASS and provide 
features desirable in any operating system, such as a 
logical SemtetuGce, —tault tolerance, and efficiency of 
Om@erdation. 
me eunctional Requirements 
Funetional requirements define services which must 
be provided to support the user’s environment. 
meee rocess Greanization 
By designing an operating system as a collection 


Mieeecooperatine processes, syStem complexity can be greatly 
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reduced [€). This is because the asynchronous nature of the 
system can be structurec logically by representing each 
independent, sequential task aS a process and by providing 
mnterprocess communication mechanisms to prevent races and 
deadlocks during process interactions. 

The notion of a process provides a complete 
description of all instructions executed ard all memory 
locations referenced during the performance of a task. A 
process is defined by an address snace and ar execution 
Memnt. the address Space iS the set of memory locations 
which covld be accessed during process execution. (The 
process is viewed as a past, present and future history of 
memory locations which actually were referencec.) The 
Pyeeeution point is the state of the processor at a given 
Mmmm, GUring orocess execution. In the atstract view, an 
mere s> Space is defined by a collection to discrete poirts, 
GCach representing a memory word. The process is descrited by 
mee path traced through this address Space from process 
Smeation to destruction. In figure 5 the main path tréceés 
the process execution point as it moves from one instruction 
(i.e@., memory word) to another during process erecution. The 
branches from this execution point patn fYrepresent data 


references. 
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several advantages result from uSing ae process 
Oraentec design. As a tool for dealing with the asynchronous 
mepmre of syStem Operation, processes provide a Simple, 
logical, nighn-level structure for the design. For example, 
tae Secure Archival Storaze SyStem Supports each host with 
three processes: a I/O Manager, a rile Manager, and a Memory 
Manager, which interact to provide Secure file manaeerent 
Memeeces«6©6fOlCUMtthe)«6€Chhost. This interaction will be described 
Mmiriner in the next chapter. Since each process is confined 
moe a s@cific address space, tasks are isolated from one 
another and system fault tolerance is improved. Ey providing 
Mameeiternai representation for each user, a process nicely 
fits the definition of a subject in the Reference Monitor 
mraminerefore supports the design goal of providing internal 


security. 





be. Merory Segmentation 

The address space of a process is composed of a 
collection of segments. A segment is a logical collection of 
Mmeeormation (e.g., procedure, data Structure, file, etc.) 
and is the basic logical object of this design. Figure ¢ 
illustrates tne two-Gimentioneael nature of the segment 
address. Kach segment consists of an arbitrary region of 
memory containing a Sequence of words with conventional 
lineer addresses. Two-dimentional addressing frees 
information from dependence on a particular memory location 


Pyemekineg it arbitrarily relocatable. 


segmented Addressing 
CGotGar i>» Criss. 


Descriptor segment segment 4n 
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Figure 4 


iiemedeseriptor Segment provides a list of 
Meccriptors for all segments in a process address space. in 
addition, Segmentation Supports information Sharing since a 


segment mav pelonge to more than one address space. 
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segmention also provices a means of associating tiogical 
attributes and tlabelS with each Segment, such as access 
Meo, COMain, etc. This feature supports segments as 
internal representations of the Reference Monitors 
"object. 

mee AOS traction 

MEcme cae thon. provides a method for recucing 
problem comnlexity by applying a general solution toa 
collection of Specific cases [14]. Structured provsrammine 
provides a tool for creating abstraction in software design. 
Bees turictly applying two Special rules in addition to the 
memerrat principles of structured programming, a structure 
Memsisting of levels of increasing abstraction can be 
Soemetructurec. 

Ee Peeest, Calis Cannot be outward toward higher 
mec or abStraction. This frees lower levels from a 
dependence on higher levels by creating a LeCsaaree 
Structure [15] and results in a design which is capable of 
having subsets. 

Second, calls to lower levels must be by Special 
emery points or gates. Each level of abstraction creates an 
virtual hierarchical machine [9]. The gate to each level 
meevides aset of instructions created for that virtual 
machine. Thus higher levels may use tne resources cf lower 
Mevels Only by applying the instruction set of a lower level 


machine. (At domain boundaries, use of egétes is strictly 
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enforced by a ring-crossing mechanism; otnerwise gate use is 
[eereit in the structure of the software.) Once a level of 
abstraction has been created, the details er a) 
implementation are no longer an issue. Instead users See 
layers of virtual macnines , each defined by its extended 
Mmreoruction set. 

Bach process uséd in SASS is designed in levels 
of abstraction. When the rules of atstraction are applied to 
level ¢, the pnysical resources of the system, these 
resources are virtualized. Thus the first level of 
abstraction creates virtual processors, virtual memory’, 
mgs virtual devices from the een hardware. At each 
higher level the detail of the design is reduced. The gate 
at tne boundary between the highest level of the security 
kernel and the lowest level of the supervisor provides 4 
mechanism for isolating the xernel as well as insuring tnat 
each memory access iS via kernel software. This mechanism is 
implemented in SASS by a ring-crossing mechanism called the 
Gatekeeper. 

ieeenesource Virtualization 

The first levels of abStraction above sySter 
hardware create rat irae representations of physical 
resources Cmeetlalee processors, Virtual memory, virtual 
Memeoneais). Since upper levels of the design operate on 
these virtual resources, rather than on pnysical resources, 


most of the design (i.e., everything above resource 
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virtualization levels) is independent of the physical 
Memereuration of the system. Ey providing virtual to real 
memeurce binding in the kernel, and by enforcing entrv into 
kernel levels with the Gatekeeper, SASS protects physical 
resources from tampering and insures memory access onlv via 
the kernel. AS a result, the kernel modules of each process 
will guarantee that the system’s non-discretionary security 
Momrcy is enforced. Includine in the kernel only those 
functions essentiel to system security keevs it small and 


memmees tre jov of verification to manageable proportions. 


Pee tardware Requirements 


Virtual resources are created bdv tne multiplexing of 
various types of information on ae physical Resource. 
Multiplexing can te defined as the use of a single resource 
for different purposes at different times. for example the 
physical tus lines can be used botn for addresses anc data 
memrne different times during the machine cycle. Similarly, 
Pogical users of a hardware system can share rescurces. The 
Meeity tO multiplex processors and memory efficiently 
provides a mechanism for the virtualization of these 
physical resources. 

Bemerrocessor Virtualization. 

Mean tialspmecessor is) a data structure, that 
memedins a2 complete description of a process in exé€cution on 


eeepiysical processor at a given instant. This description is 





Contained in the process execution point. The address space 
of the process must be accessable to the virtual orecessor 
when it is loaded on (bound to) a CPU. To provide a useful 
Mmeedlization Capability, the CPU must have the ability to 
efficiently multiplex process exection points and address 
spaces (i.e., it must support multiprogrammineg). 

b. Memory Virtualization. 

In many memory handling schemes Process cannot 
run unless tne entire address space is loaded in primary 
memory. This may require a large main memory or it may 
restrict the size of the address space. An alternative plan 
requires an ‘operating system which manages primary and 
secondarv memory to create the illusion of &@ memory whicn is 
larger than the svstem’s primary memory. Since the larger 
memory 1s Only an illusion, it is often called virtuel 
storage. Toe logical, relocatable, information otjects 
created by memory segmentaion, provide an essential memory 
multiplexing mechanism for the efficient implementaticn of 
virtual storaeze. 

coer ro uection Domains 

An essential requirement of internal security is 
that the security kernel be isolated from other elements | of 
the system. This can be accomplished by the construction of 
protection domains. Frotection dOmains are used to arrange 
process address spaces into rings of different privilege. 


WMiS arrangement iS a hierarchical Structure in which the 
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[omer Oriviledeed domain is the innermost ring. The structure 
essentially divides the address space into levels of 
abstraction with strictly enforced gates at the ring 


boundaries (Figure 5). 


SASS Protection Rings 
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Figure 5 


Protection rings may be created in software, but 
@ hardware implementation, where gate use is enforced by 
hardware, is much more efficient [16]. 

eee peorectlom provided by the rine structure is 
mma security policy. (Security protection is implemented 
Byeea lattice structure ‘«nown to the Non-discretionary 
security module in the kernel.) It does, however, enforce 
the peerarcny of the virtual machine by creating a 


privilesed kernel ring within the supervisor rine. 


KE. HARDWARE SELECTION 


The manifestation of an operating system design is, of 


meurse, software in exe€cution on system equipment. If system 
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equipment must be selected early in the design, care must be 
meen tO insure that overall system design goels are 
Someavivle with actual hardware capabilities. If design 
goals must be met (e.g., the enforcement of internal 
security in SASS), then actual hardware selection should be 
eee late in the design process. Then, even if & poor 
hardware choice is made, the penalty for correcting it will 
be Small, since only the lowest level of the deSien (where 
resources are virtualized) need be changed. In any case the 
desien of the operating syStem and the design or selection 
Meeestvem herdware must proceed in concert. 
ieee cilog Z28¢01 

The Z@¢¢1 is a general purpose 15—tit microprocessor 

{17] with an architecture which suvports memory segmentation 
and two-domain operations. It was selected as the target 
machine for implementation of the system because of the full 
range of support and close match it provided to design 
requirements. These supporting features are descrited telow. 

a. Memory Segmentation 

The C€rU can directly access &M bytes of address 

Space using a memory segmentation capability nmrovided 
externally by a Memory Management Unit (2Z8@1@ MMU). The 
25-bit address required to address &M bytes is a logical two 
dimensional address consisting of a 77-bit segment number and 
a 16-bit offset. The memory management unit converts this 


into a 24-bit address for the Due tca memory. 1 Ne sw ddaress 
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Space can be divided into as many as 126 relocatabdle 
Segments containing up to 64 bytes each. Each merory 
Seement can be assigned several attributes which rrovide 
memory access protection (read only , system mode only 
(i.e., ring #), execute only, etc.) and memory management 
data (changed, referenced). With these capabilities the 
Z260@1 CPU can support all requirements for sé€gmentation, 
memory virtualization and protection domains. 
Peel Liproeramming 

Processor multiplexing is supported by the CFU’s 
meeeoiproeramming capabilities. MULTI-MiCRO instructions aid 
in establishing a synchronization mechanism (by mutual 
exclusion) tetween multiple processors. Seperate stack, data 
and code address snaces are maintained for each fringe of 
@eeration. The load multiple instruction allows the contents 
of resisters to te saved and loaded efficiently. These 
memmmres permit efficient storing and loéding of process 
meeecution points. 

Address Space multiplexing is also Supported but 
is somewhat inefficient. In some systems, such as Multics 
P1€].a descriptor base register (DER) is provided to point 
to a process descriptor segment in memory, so changing the 
address space of the physical processor is accomplished 
Merely by chéenging the DBR. Since the Z&@¢1 CFU implements 
the descriptor segment as a collection of descriptor 


meersters in the MMU, all of the descriptors for the address 
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Meeee MUSt be saved anc loaded to changes processes. This can 
make processor multiplexing (multiprogramming) auite 
Meer icient. In the worst case, when the entire MMU is saved 
and loaded, a process Switch will take about 2 ms. It may de 
possible to improve on this performance by increasing the 
number of MMU“s in the system. Then the address Space can de 
emeneed Simply by switching control to aoe MMU. 
c. Two~Domain Operations 
The Z&¢€@i CPU can operate in either system mode 
or normal mode. [In the system mode all operations are 
@ilowed, but in the user mode, certain system instructions 
mpemepronibited. The system call PSs tEUC Ton allows 
mor trolled EttGhyento thle s'’stem mode. This two-domdain 
Mmmeuruction capability supports the two domain sturcture of 
mee DY providing a Single controlled entry into the kernel 
eee rsn CALL instruction). The descriptors contained in tne 
meeerefisters provide the capability to partition process 
Mmeness Spaces into supervisor and kernel domains. 
poe oelection Rationale 
Mtemcharacteristics listed above - processor 
multiplexing support, a memory segmentation capability, 
Mev iple domain insturctions, and multiple domain memory 
Bertitioning - are features which are erin to an 
Ptarcient implementation of SASS. The dZEC€C1 has other 
desirable features: vectored and non-vectored interrupts, 


large, powerful instruction set, many data types, etc. These 
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attributes make the Zilog system a suitable choice as a bare 


machine for the Secure Archival Storage System. 


PeeesuUMMARY 


This chapter has provided a description of the 
methodology emploved in the design and specification of 
SASS. In particular it was noted that a top-down desien 
philosophy most effectively suvported implementation of 
System design goals. Requirements Supportine the primary 
design geal of internal security and other general and 
specific goals were defined and traced to desired hardware 
capabilities. hina, capabilities Giomailoe Suceava! 
Mepermoprocessor wnich support the SASS design were cescrited. 

Chapter Three will provide an overview of the SASS 
design. The design will be described from a process 
viewpoint and the hierarchical structure of the distributed 


Kernel will te examined. 
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The hign level deSign of the Secure Archival Storage 
Semeem Car be described by a collection of cooperating 
processes. The use of processes to perform operating system 
functions greatly simplifies the problem of descriting the 


asynchronous manner in whicn services are reauested. 


Pere OCESS VIEW 


There are two kinds of processes within SASS, supervisor 
Meee ooe> and Kernel processes. Supervisor processes provide 
high level services to host computers [2]. Certain functions 
of meee Operating system dare distrituted throughout all of 
these yvrocesses; that 15. supervisor precesses Iicgically 
Share a collection of distributed kernel modules. Xernel 
processes provide svecialized services within the operating 
System. The system user is not aware of the existence of 
These processes, but they ere called upon, within the kernel 


domain, by supervisor processes to perform necessary 


Meerating system functions in support of user services. 
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ime oupervisor Frrocesses 


OmewvelG ©: SUDErVisor processes, an I1/C Manager and 
a File Manager, represents @ach computer host supvorted dy 
BaoS. 

mreevile Manageer controls SASS ance directs all 
Mmmeeraction between SASS and computer hosts in order to 
maintain a structure of nierarchical fiies on benalf of each 
host It interprets commands received from hosts via the I/€ 
Manager and coordinates toe execution of requested services 
with assistance from the I/O Manager and the Memory Manager 
(described below). 

The I/O Manarer transfers information via a link 
Meeeween C€ach host and SASS. bata is transfered by fixed-size 
meemetS in command, data, and synchronization formats. The 
1/0 Manager provides only a transfer service and does not 
interpret the data. 

Ee . verre} Seb lees ses 

Tne two kernel processes used by SASS are the Memory 
Manager and the Idle process. The Memory Manager controls 
primary and secondary memory. The design of this process is 
the topic of concurrent thesis research [3]. The Memory 
Manager transfers segments tetween primary and secondary 
memory in response to requests from Supervisor processes. 

The Idle process defines the no work state of the 
Meeyem. ocoAos attempts to schedule uSetul work on syStem 


processors whenever possitle. Only when there is no work to 





Memecone, (f(i.e., no Commands vending from nosts) will this 
meocessS be called upon to execute. 
eee Lost Environment 

Fost computers view SASS aS a remote data warehouse 
where they may store and retrieve files (figure €). Each 
Mois provided with a virtual file hierarchy constructed 
MemmectccCtory and data files. A pair of SASS supervisor 
processes (an I/0 Manaseer and a File Manager) provide each 
host with a sét of commands by which it mav store and 
Merpeve files in itS virtual file System and Share files 
Mma other hosts. The distributed kernel functions of each 
process control tne physical resources of the system in 


Smeport nost commands and SASS Security policy. 
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EeeeeviTUAL MACEINE VIEW 


meee Cistribvuted modules of the security kernel create a 
virtual hierarchical machine which cComtrehs process 
Mmeeeractions dnd manages physical processor resources. The 
Meee! 15 not aware of tre details of process tasks. It 
knows each process only ty a name (viz., an entry number in 
a table) and provides processes with Scheduling and 
Memeerprocess communication services based on this process 
identifier. All supervisor processes share the modules of 
this virtual hierarchical machine (Figure 7). 

meee xernel is constructed in layers of abstraction. Hach 
fee Or «Level, builds upon the resources created at lower 
levels. The rules of abstraction described in Chapter <2 were 
muemeca tO the design of this structure. Level @ is the bere 
machine which provides the physical resources (processors 
memes StOraze) upon which the virtuél machine is constructed. 
The remainder of this chapter will describe the level of 
virtualization (or layer of abStraction) created ty each 
feereributed kernel module. 

meeeeinner Traffic Contreller Module 

Level-1 of this virtual machine is the Inner Traffic 
Controller Module. This module creates a set of virtual 
processors with the extended instruction set: SIGNAL, WAIT, 
SWAP VDBE, IDLE, Sol ee nee oe, V Pio i and 


RUNNING VP. 
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SIGNAL and WAIT provide an Piterorocess or 
communication mechanism used within the kernel to provide 
multiprogramming. These instructions invoke the level-1 
Scheduling procedure, GSTWORK, which multiplexes virtual 
SegieesSOrs On a physical procéssor. 

SWAP _VEBR and IDLE are instructions invoked from 
Meee by the Traffic Controller Module to schedule 
processes on a virtual processor. 

Peeves EMET and TEST VPREHEMPT create a virtual 
processor interrupt mecnanism. SST _VPRSEMPT is invoked from 
meeei—- When the traffic controller desires to load a new 
mmg@eess On @ virtual processor that is not scheduled. 
for PRAM is invoked by the Gatekeeper of each 
jeer. outed process upon every exit from the kernel doméin. 
The Gatekeeper unmesks virtual interrupts by testing the 
interrupt flag of the scheduled virtual processor. If the 
eae is set, a virtual interrupt handler is invoked, 
otherwise the process enters the supervisor doméin normally. 

RUNNING Vr is invoked from level-2 to provide the 
[earfic Controller with the identity of the currently 
scheduled virtual processor. The identity of a particular 
processor must be known in the virtual environment, just as 
the identity of a physical processor is frequired in a 


feeeotprocessor system. 
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Pee statfic Controller Module 


The Moai eve COuLnoOLler == reSides at level~2. It 
manages the scheculing of processes cn virtual processors by 
invoking the extended instructions of the virtual processors 
in level-i. In addition to implementing the level-2 
scheduling aleorithm, the Traffic Controller creates the 
fmeemaed instruction set: ADVANCE, AWAIT, and PROCESS CLASS. 

ADVANCE and AWAIT are used to implement eventcounts 
and sequencers [11], an inter-processor communication (IPC) 
mechanism invoked by the supervisor. Although SIGNAL and 
WAIT provided an ad@quate inteérprocessor synchronization 
mechanism within kernel, Parks (2 ] determined that 
Supervisor process synchronization would be more effectively 
Served in the Secure environment of SASS by the use of 
eventcounts. 

Peis ChASc 16 invoxed from level-3. Jt returns 
the label, subject access class, of the current process for 
Setwermininzg a subject-object relation. 

meeesoecveculing 

Scheduling functions are divided between the 
Mumpeeeerrdffic Controller and the Traffic Controlier. The 
Mmemereiraffic Controller multiplexes virtual processors on a 
Mee The Traffic Controller scnedules processes on virtual 
processors. 

Tne division of tne scheduling algorithm between 


these two levels simplifies its design, because it seperates 
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the issues On virtual Processor management 
(multiprogramming) from virtual memory management [12]. A 
design choice was made to provide each system CFU with a 
mere tixed set of virtual procé€ssors. Since the virtual 
processor data base is Shared by all system CPU’sS, it rust 
remain permaentiv in global memory. 

The process data base, used to implement level-2 
scheduling will be much larger. Since supervisor precessors 
are known to the entire system, thiS data must also be rept 
ieee robal memory. Because level-2 is subject to merory 
management, this data could be Kept on secondary storage and 
moved to primary memory when requested. 

SASS does not provide dynamic memory management, 
bPeerefore the two-level scheduling design presented nere is 
not essential to the design. However, the structure has been 
meeviced in this implementation to support more complex 
family members of the O°Connell-Richardson design. Figure & 
Pilustrates tne two levels of scheduling employed ty the 
distributed kernel. 

The two virtual processors (Mem_Mer_VP and 
Idle VP in Figure 8) are permanently tound to kernel 
processes and are not in contention for process scheduling. 
The remaining VP°s are temporarily bound tec supervisor 
processes as determined by the Traffic Controller. If ao 


Supervisor process is available, the Traffic Controller 
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invokes the Inner Traffic Controller (IDLE) which lcads an 
Meer process on the virtual processor. 

mace Innere Jrartic Controller scnedules virtual 
Beeeessors on the physical Processor. ready aslje jive sedl 
processors with temporarily bound idie processes (VP #1 and 
VP #2 in Figure &) will be scheduled only to give an tiéle 
process away for a supervisor process (i.e., wnen virtual 
meee flee is set). The Idle process will actually run 
meeme the virtual processor to which it 1S permanently ound 
(the Idle-VF in Figure ©) iS Scheduled. This will havpden 
only when all other VP’s are waiting or temporarily bound to 
Idle processes, i.e., when there is no useful work for the 


CPU. 
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meenOn=Lbiscretionary Security Module 

PnewNom—LDiscretionary Security module in level-Z 
reflects the systems Security policy. It compares two 
mes, subject and object access classses, passed to it bv 
memer modules, and returns tne relationshin cof the labels 
Mmrrecnon a lattice structure known to it. To perform this 
mre tion it provides the extended instruction, RELATION, 
which is used by the Event Manager @nd the Segment Manager 
to determine access permission. These modules maxe cdecisions 
MemereaccesS based on the relationships: equal, less than, 
greater tnan, and not related. The Non-discretionary 
pecurity module is the only module which interprets the 
labels themselves. A different sé@curity policy (e.f., 
Privacy Act vs DOD) can te implemented simply by changing 
Mmiemrattice structure used in this module. 

&. svent Manager Module 

The Event Manager is a level-3 module invoked ty 
Supervisor processes via the gatexeeper. This module creates 
estes 6«6Ofd€6Cecxtended)6€6vinstructions: AIVANCE, AVAIT, READ and 
TICKET. It determines the access permission of desired 
muperprocess communications ana ottains a global handle from 
a Memory Manager data base where event data is stecred. If 
access is permitted, the event manager passes this handle, 
Meeen identifies the event, to the Traffic Controller where 
Mrewenpprovriate event count instruction is invoked. For 


Sequencer overations the Memory Manager iS invoked directly. 


on 





Mmemeuse of the nandle is necessarv because of the desien 
choice to store event data ina data base of the Memory 
Manager [3]. This insures thet inter-domain IPC does not 
Molate SASS security policy. 

5. Seement Manager Module 

The Segment Manager also resides in level-2. This 

module creates a set Ofawekttentded InStruztions for 
mamepuldting segments. These instructions ere: CREATE, 
DELETE, SWAP IN, SWAP OUT, MAKE KNOWN, and TERMINATS. 
Modules of tne supervisor domain invoxe these instructions 
memeoordinate host Support. CREAT: and ERLETE add and remove 
segrents from the system. SWAP IN and SWAP OUT cause a 
Segment to be moved tetween primary and Secondary mremory 
me.e., between &é ovaged disk and contiguous memory). 
MAK® KNOWN and TERMINATS add and remove a segment from a 
Mmocess address space. 

6. Gatexeener Module 


The Gatekeeper exists on the boundary between the 


kernel and supervisor domains. It proaviaes tne sole entry 


rs 


Memmt into the kernel domain, so when the Execution noint o 
€@ process enters the kernel domain of its address space it 
must do so through the Gatekeeper. se 

The hardware of the MMU partitions precess address 


Spaces into two domains by Settine the ring number ‘(zero or 


one) in each segment’s 


Si 





Mememeoute rerister. Software provided by the Gatexeenver 


memeeerms the following additional functions: 


Kernel intry 
MenonnMask Cardware interrupts. 
2. Save supervisor domain registers. 


Remesave SUpervisor stack pointer in kernel stack 
segment. 


4, Check arguments and invceke appropriate Xernel 
enury, pDOlNnts. 
Con ualemacnine instructions) . 
Cerne lsu t 


1. Invoke TEST VPREEMPT 
(ise., umnask virtual interruots). 


meee sOre SUDErV1ISOr Gomain stack pointer. 
OS. Hestore supervisor domain rezisters. 
Pea URmesmenaraware inLerrvots. 


Sete turn to process execution bdoint in 
Poe Supervisor domain. 


C. REVIEW 


This chapter has described the high level design of the 
secure Archval Storage System kernel from twe points of 
view. In the process view the syStem iS composed of pairs of 


Supervisor processes (an I/0 Manager and a File Manager) for 
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each host computer and a pair of kernel processes (a Memory 
Manager and an Idle procéss) for each real processor in the 
Seevem. The Supervisor processes provide nigh level services 
to host computers while the kernel processes control system 
memory resources and provide an ine te system State. 
ies. ri buted werne! Mute OSM LeMen Gu bwOmmLeVel’sSs of 
memecaculing, provide interprocessor Syncaroni za vices and 
communication, manage Segments, and isolate and protect the 
memmel domain of precess address spaces. The distrituted 
Mernel is constructed as a hierarchical virtual machine. 
Meemaence of tne versitility of tne loop-free, ccenfigvration 
Mmeeependent Structure of this design carn be observed in 
concurrent thesis work in this eérea [19}. An Intel S726 
Gmitaprocessor operating syStem implementation, daSed On tne 
same design, uses eEssé€ntially the same virtual insturction 
Bepedescribed in this chapter. An implementation of the 
mmot two levels of this kernel machine is presénted in the 


next cnapter. 





Implementation of the distributed kernel was simplified 
Seeeene Hierarchical structure of the design for it permitted 
meeodgical bdottom—up construction of a Series of extended 
Sememenes. This approach was particularly useful in this 
implementation Since the vare machine, the ZEALL 
Developmental Module, was provided with only a sméll amount 


of software support. 


Pe EVETLOPMENTAL SUFPORT 

A. Zilog MCZ Developmental System provided support in 
@eveloping ZECCE machine code. It provided flonvpy disk file 
Mamagement, a text editor, a linxer ance 4a loader that 
created an image of each ZECLZ load module. 

A Z&8@@2@ Developmental Module (DM) provided the necessarv 
Nafdware support for operation of a Zeve2 nen-sSegmented 
Meecroprocessor and i6K words (32K bytes) of dynamic RAM. It 
included a clock, a USART, serial and parallel I/O support, 
moma CK PROM monitor. 

The monitor provided access to processor registers and 
memory, single step and break point functions, basic I/0 
functions, and a download/upload capability with the “CZ 


system. 





nce a segmented version of tne processor was not 
available for system develCpment, Seomentation hardware was 
simulated in software as an MMU image {see Figure 9). 
Mepmouenh this data structure did not provide the hardware 
Smpport (traps) required to protect segments of the xeérnél 


domain, it vreserved the general structure of the design. 


MMU_IMACE 


Ope Sut ATTRIBUTES 
Bren byte, Low byte Sze bei tes 








Figure 9 


B. INNER TRAFFIC CONTROLLER 


The Inner Traffic Controller runs on the bare machine to 
create a virtuel environment for the reméinder of the 
system. Only this module is dependent on the Onis Cars 
processor configuration of the system. Mig a he here Wew omen. 
my a set of running virtual processors. A xernel data 


Dase, the Virtual Processor Table is used ty the Inner 





Traffic Controller to create the virtual ervironment of this 

first level extended machine. A Source lisSstine of the Innér 

mratric Controller module is contained in Appendix A. 
Meeevirtual Frocessor Table (VPT) 

The VPT is a data structure of arrays and records 
that Maintains the data used by the Inner Traffic Controller 
Momerultiplex virtual processors on a real processor and to 
create the extended instruction set that controls virtual 
Megeessor operation (see Figure 1¢). There is one tatle for 


each physical processor in the system. Since this 


Mm 


implementation was for 4a uniprocessor system (the ZEGCe DM), 


Only one tadle was necessary. 


Virtuel FProcessor Table 


LOCK 
PUNNING LIST 
READY LIST 
FREE LIST 


ee wera; PRI , STATE pre lp Ee ee cee se Lo 
ex ne fe 
u ee 


MSG MISSAGE | SENDER | NEXT MOG 


[=a |  &#x|. 
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The table Conmcimmcm ad LOCK Which Suppsrts 4n 
exclusion mechanism for a multiprocessor system. It was 
provided oo cmon emenvdtlone only to préserye the 
generality of the design. 

The Descriptor Base Reeister (DER) binds a process 
moma virtual processor. The DBR points to an MMY_ IMAG: 
Memeagining the list of descriptors for Segments in the 
Meee ss address space. 

A virtual processor (VF) can be in ore of three 


states: running, ready, and waiting (figure ii’. 


Virtual Processor States 





> 


VP 





FIGURE 11 


ae 





A running VF is currently scheduled on a real processor. A 
ready VF 1s ready to be scheduled when selected ty the 
Mewer—-l Scheduling algorithm. A waitine VP is awaitine a 
Memrease t10m some other VF to place it in the ready list. In 
Bmemmeantime it is not in contention for the reali procéssor. 
Pomecpevel=1) Scheduling 

[PeGvudieprocessor stdte changes are initiated ty tne 
mere r-Virtual-preocessor communication mechanisms, SIGNAL and 
pete rnese level-1 instructions implement the scheduling 
mommcy Oy determining what virtual processcr to bind to the 
real processor. ieee ulate DIndine wand un Dioadine is 
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meummmeormed DY a Processor switching mechanism caliec SWAP DER 
[1g]. Frocessor switching implies that somehow the execution 
Mumeeand adcress spece of a@ néw process are acquired ty the 
processor. Care must be taxen to insure that tne cold process 
b> Saved and the new process loaded in an orderly manner. & 
solution to this problem, suggested by Saltzer [1€], is to 
desien the switching mechanism so that it iS a cormon 
procedure having the same segment numvdver in every address 
Space. 

In this implementation &@ processor register (14) 
was reserved within the switching mechanism for uSe as a 
DBR. Processor switching was performed by saving the old 


Meecution point ( i.e., processor resisters and flag control 


(1 
(O 





word), loading the new DBR and then loading the new 
Mmeomwtion point. The processor switch occurs at the instant 
the DBR is changed (see figure 12). Because the switching 
procedure is distributed in the Same numbered Segment in all 
mmaress Spaces, the “next instruction at the instant of the 
memtce will have the same offset no matter what address 
Memeenme the processor iS in. This is the key to the proper 


operation of SwWAP_DBR. 


OoNVAP DBR 
Process #1 Process #2 
Address space Address space 
Call SWAP DBR 
Save return point 
Omecall stack. 
(Precess #1) 
Save execution point , 
Swap DBE (R14) ----+---+--------- > Swap DER (214) 
‘ processor 
: Switch 
° Load néw execution 
es 
Load return point 
from calle stacs 
(process #2) 
Figure le + 
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To cenvert this switching mechanism to segmented 
Mearagware it 1S necessSsery merely to replace SWAP _LEF with 
special I/0 block-move instructions that save the contents 
foeeome SMU in the appropriete MMU IMAGE and load the 
contents of the new MMU_IMAGE into the MMU. 

a. Getwork 

oe ere SeoOntained within an internal Inner 
lmemerae Controller procedure called GETYORK. In addition to 
multiplexing virtual procéssors on the Crus Colones 
interprets the virtual processor Status flazs, IDLE and 
PREEMPT, and modifies VP scheduling accordingly in an 
attempt to xeep the C°U busy doing useful work. 

There are actually two classes of idle processes 
min) ni Mie yotem. one €lassS belones to the Traffic 
Mmapmmrorter., Conceptually there is 4 redadv level-2 idle 
process for each virtual processor availatle to the Traffic 


+ a 


Moemvroiler for schedyvling. when a running process tiliockxs 
Mmesert, the Traffic Controller schedules the first ready 
Mmmeeess>., This will be dan idle process if no supervisor 
processes are in the ready list. 

iicmeseccoma  elass of idle process exists in the 


mernel. The wernel idle process is permanently tound te tne 


memeot Priority virtual processor. 


Ei 





The distinction is made between these classes 
pecause of the need to keep the CFU busy coing useful work 
Mememever possible. There is no need for GETWORK to schedule 
a level-2 idle process that nas been loaded on a virtual 
processor, because the idle process does no useful work. The 
virtual eee Oly BUemoMAG ee inci cates. that a virtual 
processcr has been loaded with a level-2 idie process. 
GETWORK will schedvle this virtual processor only if the 
meeerer flaz is also Set. The PREEMFT fla2e is a Signal from 
Mmemeiratffic Controller that a supervisor process is now 
meady to run. 

AemeGei sor. can find no otner reedy virtual 
Meee ssors with IDLE and PREEMPT flaes off, it will Select 
mmmeerivial processor permanently bound to the kernel Idle 
mmeeess. Only then will the Idle process actually run on the 
eeu . 

Getwork contains two entry points. The first, a 
normel entry, resets the preempt interruot return flag. (R2 
is reserved for this purpose within GETWORK.} The second, a 
Memeoware interrupt @ntry point, contains én Le pen pit 
Handler which sets tne preempt interrupt returr flag. The 


DBR (P14) must also be set to the current value ty 4z 


“4 
= 


procedure that calls GETWORK in order to permit the SWAP DPA 


portion of GETWORK to have access to the scheduled process ‘s 





address space. Upon completion of the processor switch, 
PeeworkK examines the interrupt return flag to determine 
whether a normel return or an interrupt return is required. 
The PAaCOweremminvernupt entry  volnt in GETwORK 
Suoports the tecnnique used to initialize the system. Sach 
Moree ss addréss space contains 4 kernel domain stack segment 
used by SWAP-DER in GETWORK to save and restore Yr states. 
For the seme reason that SwAP-DBER is contained in @ system 
wide segment number, tne stack segment i1n @ach process 
addresS Space will also have the Same number (Sepmrent #1 ir 
this implementation). Edens vache sercment iS initially 
created as though it’s process had been vreviously preempted 
Meee hardware intérrupt. This greatly simplirieés the 
initialization of processes at system generation time. The 
memes Of system initielization will be cescrited later in 
mas Chapter. I[t is important to note here, nowever, tnat 
GETWORK must be able to determine whether it was invoxed by 
a hardware preempt interrupt or by a normal call, before it 
mame xectite @ return to the calling procedure. This 15 
because a hardware interrupt causes tnree items to te placed 
mmm the syStem Stack: the return location of the caller, the 
flag control word, and the interrupt identifier, whereas a 
meemal Call places only the return location on the stack. 


Mmerefore, in order to clean up the stack, GETWCRE rust 





execute an interrupt return (assembly instruction:IRET: if 
entry was via the hardware preempt handler (i.e., PZ set). 
Mememernstruction will pop the three items off the stack and 
Memurn to tne appropriate location. If the interrupt return 
meee i’, 15 off, &@ normal return is executed. 

During normal operation, SwWAP-DER manipulates 
process stacks to save the old VP state and load the new YP 


mate. (his action proceeds as follows (figure 13): 


fer ne Flaz Control Word (FCW), the Stack Pointer (815) 
and the preempt return flag (R@) are saved in the cle 
VF°s kernel stack. 


2. The DBR (R14) is loaded with the new VP’s DER. This 
permits access to the address space of the new process. 


Seeetne Flag Control Word (FCW), the Stack Fointer (215) 
and the Interrupt Return Flag (2@), are loaded into the 

eeencopriate Cru registers. 

4 mews tested. If it is set, GsTWORK will execute an 


—_ @ 


Mmaigerrvupt return. If it is off, a normal return occurs. 





Kernel Stack Segments 
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By @onstructing GETWORK in this way. both systen 
/memeralizadtion and normal operations can be handled in the 
Same way. A high level GETWORK algorithm is giver in figure 
14. 
Mammorritudl Frocessor Instruction Set 

The heart of the SASS scheduling mechanism is the 
Meeernai procedure, GHTWORK. It provides a powerful internal 
primitive for use by the virtual processors and greatly 
simplifies PicmOcSuemmOor sthe valmtual processor instruction 
Semee Virtual processor instructions perform three tynves of 
functions: multiprogramming, process management and virtual 


maberrupts. 





GETWORK Procedure (DER = R14) 
Begin 
Reset Interrupt keturn Fleg (Rk?) 


Skip hardware preempt handler 
Harcware FPreempt Entry: 
Set DBR 
Save CPU registers 
meave SUPE TVisor stack pointer 
Set Interrupt Return Flag (R@) 


Get first ready VP 


Do while not Select 
jee tele flag is set then 
fMerreempt flag is set then 
select 
else 
pet next ready YP 
end if 
else 
Select 
end if 
end do 


SWAP DBR: 

Save old VP registers in stack Seement 
Swap dbr (R14) 

Load new VP registers in stack se2ment 


Mmeeinterrupt Return Flag is set then 
unlock VPT 


Simulate GATEKZEFPER exit: 

Call TEST VEFREEMPT 

Restore supervvisor registers 
Restore Supervvisor stack pointer 


Execute Interrupt Return (IRET) 
end if 


Sxecute normal return 


end GETWORK 


Figure 1¢ 





SIGNAL and WATT provide Synchronization and 
communication between virtual processors. They multiplex 
Mmeepeal processors on a4 CPU to provide multiprogrammine. 
This implementation used a version of the signal and wait 
algorithms proposed ty Saltzer [(1¢]. In the SASS design each 
CFU is provided with a unique (fixed) set of virtual 
Moree ssors. Tne interaction among virtual processors is 4 
Belt of multiprogramming them on the real precessor. Only 
Mummers budl processor is able to access the YOT at a time 
because of the use of the VFT LOCK (SPIN LOCK) te provide 
Mma E€xXxClusion. Therefore race and deadlock conditions 
will not develop and tne signal pending switcn used ty 
Saltzer is not necessary. 

This implementation also included message passing 
mechamism ROWE OEOVIided Vby Sdltzer. Tie message slots 
Peeeable for use by virtual ovrocessors are initially 
contained in a queue pointed to by FRaoE-LIST. When a message 
is sent from one VP to another, a message siot is removec 
from the free list and placed in a rIkFO mesSare queve 
belonging to the VP receiving the message. The nead of each 
VP°S mesSage queve iS pointed to by MSG-LIST. Fach message 
Slot contains a message, tne ID of the sender, and a pointer 
to the next message in the list (either the free list or the 


VP message list. 
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(OL etneovnbeween provide the Traffic Controller 
with a means of scheduling processes on tne running VP. 

ever esMP? anewelssl VFRESMPT install a virtual 
Pocerrupt mechanism in each virtuvel ovrocessor. Yhen the 
Traffic Controller determines that a virtual oprecessor 
meouyd Five up its process because 4 higher priority process 
is now ready, it sets the PREEMPT flag in that VP. Then, 
even if an idle process is loaded on tne VP, it will te 
scheduled and will be loaded with the first ready process. 
Meet VPreempt is a virtual interrupt unmaskinge mechanism 
which forces a4 process to Examine tne preempt rlag each time 
it exists from the kernel. 

ae Wa) £ 

WAIT provices a means for a virtual processor to 
move itself from the running state to the waiting state when 
Meenas no more work to do. It is invoked only for system 
Memos that are always of short duration. It is supportec by 
three internal Procedures. 

Tue LeGkmenaphes taeerunning VP to fain control 
of the Virtual Processor Table. This procedure is only 
Memeessary in a multiprocessor environment. Tne running VP 
will have to wait only a short amount of time to gain 
Control of the VFT. SFIN LOCK returrs when the VF has locked 


mire VPT. 
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GETYORK loads the Pee Stmchicible virtual 
processor of the ready list on the real processor. fFefore 
mito procedure is invoxed, the running VF is placed in the 
ready state. Both ready and running VP’s are members of a2 
PIFO queue. GeTWORK selects the first VP in this ready list. 
loads it on tne CPU, and places it in the running state. 
When GETWORK returns, the first VF of tne queue will always 
be running and the second will be the first VP in the ready 


queue. 


Cf 


COl~=@etol VGosnae heturns the first message of 


the message list (also managed as a FIFO queue) associated 


mm the running VP. The action taxéen ty Wilt is es follows: 
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WAIT Procedure (Returns: MSg, Sender ID) 
Begin 
recmvel (catl SPIN TO0CK) 
If messege list empty (i.e@., no work) Then 
Move Vr from running to Waiting state 
Schedule first EGligitle Ready VD (call GETWCRL) 
end if 
(NOTE: process suSpended here until 
Muereceives @ Signal and is 
selected bu GETWORK. ) 


Get first message from mesSage list 
(call GET FIRST MSG) 


Valock VPT 


Return 


end WAIT 


If the running virtual processor calls WAIT and 
there iS a meSSape in itS meSSage liSt (placed there «hen 
another VP signaled it) it will get the messege and continue 
momrun, if the mesSage list is empty it will place itself in 
Muemeecit State, schedule the first ready virtual processor, 
and move it to the running state. The virtual vrocessor will 
remain in the waiting state until another running VP sends 
it a message (via SIGNAL). It will then move to the ready 
mre Sindllv it will be selected by GETWCRE, the next 
instructions of WAIT will be executed, it will receive the 
Messafe for which it was waiting, and it will return to the 


caller. 
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eo Lend 1 

Vessartesomane—sassed between virtual processors 
by mecmernstruction, sIGNAL, which uses four internal 
meoeedures, SPIN LOCK, ENTER_MSG LIST, Aen eA and 
GETWORK., 

Sei muOCwmmassexplalned above insures that only 
Mmeevirtuel processor has control of the Virtual Processor 
Table at a time. 

Hires | emandges a r]rO messeee queue for 
Peeeae virtual Processor and for free mesSagesS. This queue is 
of fired maximum length because of the implementétion 
meecision tc restrict the use of SIGNAL. aA running YTF can 
send no more than one message (SIGNAL) before it receives a 
reply (i.e., WAIT’s for a message). Therefore if there are N 
Mmentudl processors per real processors, the message queve 
menethn, L, is: 

oa — | 

MAKE READY manages the virtual processor ready 
queue. If a mesSage iS Sent to a V& in the waitine State, 
MAKE READY wakes it up (it places it in the ready state) and 
mumee rs it in the ready list. If & running VP signais a 
feemeene VF of higher priority, it will place itself back in 
the ready state and the higher priority VP will be Selected. 


The action taken by signal is as follows: 
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SIGNAL Procedure (Message, Testination YF) 
begin 

fccgmeurt Nicall oF IN LOEK ) 

Send message (call ENTER MSG LIST) 

Peesvenaled VF 1S Waiting Then 

wake it up and make it ready 

(call MAKE READY) 
end if 


Fut running VP in ready state. 


schedule first elgible ready YP 
(call CETYWORK) 


mock VET 
Return (Success _ code) 


mond SIGNAL 


Sr OA VbOR 

Sse eco emconvelins fie Seme processor switching 
mechanism used in SWAP_DER, but applies it to a virtual 
processor rather than a real processor. Switching is quite 
Simple in this virtual environment because botnr processor 
execution point and address Space are defined ty the 
Meemeriaptor S8ase Register. SWAF VUSR is invoxed tv the 
Traffic Controller to load a new process ora virtual 
processor in suvport of level-2 scheduling. It uses GETWORE 
more control the associated level-1 scheduling. The action 


meacen by SWAP YVDER is: 





SWAF VDBR Procedure (New_DER) 
begin 
focmeave. (Call SPIN LOCK) 
Load running VP with New_LEk 
Flace running VP in ready state 


Schedule first eligible readv VP 
(call GETWORK) 


Malock VPT 
Return 


End SWAP_VDER 


Vase IiitnemMemtces lon one restriction 1s plecec 
Meon the use of this instruction. If a virtual ovrocessor’s 
message list contains at least one message, it can not give 
up its current DEH. This problem is avoided as the natural 
Pesult of using SIGNAL and WAIT only for system events, anc 
Bye@iseking  preempts within tne kernel. If this were 
permitted, the messages would lose their context. (The 
Meoseces ina VP MSG LIST are actually intended for the 
meocess loaded on the VP.) 

Gem es 

WicmeliieomenStruction loads the [dle CEP on the 
Bunning virtual processor. Only virtual processors in 
meutention for process scheduling will te loaded by this 


mmeotruction. (The Traffic 





Controller is rot even aware Oba Ven GWearl processors 
permanently bound to Kernel processes.) 

IDLE has the same scheduling effect as 
Beers DR, but it also sets the IDLE FIAG on the scheduled 
VF. The distinction is made between the Two cases decause, 
Beeemouen the Traffic Controller must schedule an idle 
process on the VP if there are no other ready processes, the 
Inner Traffic Controller does not wish to schedule an fdle 
VP if there is an alternative. Tnis would be a waste of 
Meysical processor resources. The settine of the IDLE FL&G 
meee iratfic Controller aics the Inner Traffic Controlier 
moma kine this scheduling decision. Logically, there is an 
idle precess for each VP; actually tne same address space 
(DBR) is used for all idle processes for the Same CPU, since 
only one will run at a time. As vnreviously explained, 
Mepeual processors loaded by this instruction will te 
selected by GETWORK only to give the Idle process away fcr a 
SemmeoeocessS in response to a virtual preempt interrupt. The 


eeeraon of IDLE is: 
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IDLE Procedure 
pegzin 
noe@ravrt (call SPIN LOCK) 
Toad running VP with Idle DBR 
Set VP°s ITLE_ FLAG 
Place running VP in reedy state 


Schedule first elgible ready VP 
(call GETWORE) 


Unoce VET 
return 


Kad IDLE 


Sree ve Rea PT 

Sot VERZEMPT sets the preempt interrupt flag on 
umemeee1.1Cd yirtual processor. This forces the virtual 
processor into level-1 scheduling contention, even if it is 
meeaged with an Idle process. The instruction retrieves an 
idle virtual processor in the same way a hardware preempt 
Metrieves an idle CPU ty forcine the VP to be selected ty 
GETWORK. The only difference between the two cases is the 


mumeny point used in GETWORK. The action of SET_VPREEMPT is: 
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SET VPREEMFT Procedure (VP) 
Begin 
Set VF“s PREEMPT flag 
If VP belongs to another CPU Then 
send nardware interruot 
end if 
Petirn 
End Sit VEREEMPT 
Since the action is a safe Sequence, no 
Megevocks or race conditions will arise and no lock is 
required on the VFT. 
ioe tio. VPRESMPT 
Within the kernel of a multiprocessor System all 
process interrupts (which excludes system I/9 interrupts) 
mmpemmasked. If process interaction results in a virtual 
Mmeeempt being sent to the running virtual processor by 
another CPU, it will not be handled since GSTYCRE has 
Menmeacy been invoked. TEST VFREEMPT provides a virtual 
preempt interrupt unmasking mechanism. 
TEST VPREEMPT mimics the action of a4 physical 
CPJ when interrupts are unmasked. It forces the process 
execution point back down into the kernel each time the 
process attempts te leave the kernel domain, where the 


preempt flag of the running VP is examined. If the flag is 


ce 





Oetg [hot VPREEMPT returns and the execution point exits 
throuehn the Gatekeeper into tne supervisor domain of the 


process address space as described above. However, if the 


taj 


eer r flare is on, the TEST VPREEMPT executes a4 virtual 
Mmoercupt handler located in tne Traffic Controller. This 
Semmoet rom the inner Traffic Controller to the Traffic 
Controller (TC_PREEMPT AANDLER) is a close parallel to the 
mememomde or a CPi in résponse to a hardware interrunt, that is 
Seeyuiep to an interrupt handler. The Traffic Cortroller 
Preempt Fandler forces level-2 and level-i scheduline to 
proceed in the normal manner. The preempt handler forces the 
meertric Controller to examine tne APT and to appliv the 
Tevel-2 scheduling algorithm, TC GSTVORK. if the AFT nas 
peen changed since the last invocation of this schéculer, it 
Will be reflected in the scneduline selections. iventually, 
wnen the running VP’s vreempt flag is tested and found to te 
reset, TEST VPREEMFT will return to the Gatekeeper where the 
meocess Ex€cution point will finally make a normal exit into 
ios, supervisor domain. TEST VFREEMFT performs the following 


action: 
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TEST VFRESMFT Procedure 
Begin 
Do while running VP’s PREEMPT flag is set 
Feset FREEMPT flag 
Call preempt handler 
(call TC_PREEMPT HANDLER) 
Ynd do 
een nr 


End TEST VEREEMPT 


Meet rAFEFIC CONTROLLER 


The Traffic Controller runs in a virtual environment 
Greated by the Inner Traffic Controllér. It seés a set of 
Bmomine virtual processor instructions: SWAF_VYDER, IPL, 
Meee RE EMPT, and RUNNING VP, and provides 4 scheduler, 
TC _GETWORK, which [i Uelest emake) ers processes Oe Uma) 
Meee ssors in response to procéss interaction. ft also 
creates a level-2 instruction set: ADVANCE, AWAIT, and 
Mesos CLASS, which is available for use by higher levels 
Oe the design. The Traffic Controller uses a global data 
base, the ACTIVE PROCSSS TABLE to support its operation. 

1. Active Frocess Table (APT) 
The Active Frocess Tatle is a system-wide kernei 
database containing entries for each supervvisor process in 


SASS (Figure 15). It is indexed ty active process IT. 
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Active Process Table 
LOCKE 
RUNNING LIST PROCESS ID 


VP_ID 

READY LIST HSAD 

EVENTCOUAT 
FANDLE 


INSTANCE 
COUNT 


Dain ACCESS CLASS | STATE NEAT AP 














AP 
Index 


Fizure 15 


Mememestructure of the APT closely pérellels that of the 
Memtual Processor Table. It contains a LOCK to Support the 
implementation of a ftie | exclusion mechanism, a 
MeiNG LIST, and a R#BADY LIST_FEAD. The Traffic Controller 
Mmemmonivy concerned with virtual procéssors that can te loaded 
with supervisor processes. Since two VP°s are fermanently 
bound to kernel processes (the Memory Manager and the Idle 
Process), they cannot >be in contention fous level-2 
Semeduling;s the Traffic Controller iS unaware of their 
existence; since there are a number of availatle virtual 


processors, the #AUNNING LIST was implemented as an array 


miaexed by VF_ID. The READY LIST HEAD points to a FIFO queue 
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that includes both running and ready processes. The frunninege 
processes will be at the top of tne ready list. 

Fecause of their completely static nature, idle 
processes require no entries in tne APT. Logically, there is 
an idle process at the end of the ready list for each VF 
meermravlie to the Traffic Controller. If the ready list is 
empty, TC _GETVYORK loads one of these virtual idle 
meeesses by calling IDLE, and enters a reserved identifier, 
#IDLE, in the appropriate HUONG R lol went ny.) 2 fis 
Mmeomurticer is the only data concerning idle& processes that 
is contained in the BET. Idle process scheduling 
memerractTdtions are moved down to level-1, tecause the Inner 
Mmnearric Controller knows about physical processors. and can 
mmemize CPG use by scheduling idle processes only wnaen 
there is nothing else to do. 

Peemestmo ject access class, S CLASS, provides each 
process with a label that is required by level-3 modules to 
enforce, the SASS non-disScretionary security policy. 

ae bemel=—2 Scheduling 

Above the Traffic Controller, SASS appears as a 
moerection of processes in one of the three states: running, 
ready, or blocked. Running and ready states are analogous to 
mre correésponding virtual ovrocessor states of the Inner 


mratfic Comune liber. Fowever, because of the use of 





eventcount synchronization mechanisms ty the times fcc 
Controller, the blocked state has a slightly different 
connotation than the VP waiting state. 

Blocked processes are waiting for the occurrence of 
a non-sySter event, e.g-, the event occurrence ray de 
meearled from the supervisor domain. When &@ specific event 
happens, all of the blocked processes that were awaiting 
that event are awakened and placed in thé reéadv state. This 
broadcast feature of event occurrence is more powerful than 
the message passing mechanism of SIGNAL, which must te 
| directed at a Single recipient. 

Wie cmmolGwAL dnd WAIT provide virtual processor 
Meri plixine in level-1, the eventcount functions, ADVANCE 
Mma aAIT, control process scheduling in level-2. 

ape 2 O. CETVORK 

Level—2 scheduling is implemented in the 

Mepernia]) Traffic Controller procedure, TC CETWORK. This 
meecedure is invoked by eventcount functions when 4& process 
state change may have occurred. It loads the first ready 
process on the currently scheduled YP (i.e., the virtuél 
processor tnat has been scheduled at level-1 ane 1s 


Surrently executing on the CPU). 
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PemGceawORk Procedure 
beat 
VP_ID := RUNNING VP 
Do while not end of ready list 
if process is running then 
get next ready process 
else 
RINNING LIST [VP_ID] := PROCESS_ITI 
Process state := running 
SWAP VD5R 
emer 
end do 
If end of running list (no ready processes) Then 
RUNNING LIST := #IDL& ; 
IDLE 
end if 
Feturn : 


End TC_GETWORE 


Pee OUnGemme none Or TC “GEHTYORK 15 contained in 

Peooendix £. 
b. TC PREEMFT HANDLER 

PreCompommmtenrTuDplS are masked whiie &@ process 15 
executing in tne kernel domain. AS tne process leaves tne 
Meepmei, the gatekeeper unmasxs this virtual interrupt by 
invoking TEST VPREEMPT. ii tse eno t auculeon bests the SChedui ed 
Meco OREEMPT flag. If this flag is off, the process returns 
to the Gatekeeper and exits from the xernel; but if the flag 
is set, TEST VPREEMPT calls the Traffic Controller’s virtual 


Meeemot interrupt handler, TC PREEMPT FANDLER. This handler 





Memeeees TC GSIWORK, which re-evaluates level-2 scheduling. 
Eventually, when the schedulers have completed their 
Mmimerrons, the hancdlér will return control to tne preempted 
process, which will return to te Gatekeener for a normal 
mmm s Sequence of events closely parallels the action 
of a hardware interrunot, but in the environment of a virtual 
processor Eauwer than teeccU wens Virtualization of 
morerrupts provides the ebility for one virtual processor to 
interrupt execution of another that may, or may not, te 
[mmens on a CPU at tnat time. This is provided without 
memo uine the logical structure of the system. tis 
capability Por uCulamivemserul tn a multiprocessor 
environment where the target virtual processor may te 
Securing On another CPU. Because these interrupts will te 
virtualized, the operating syStem will retain control of the 
Mmmmeme tne action of the TC_PREEMPT HANDLER is descrited in 
meen procedure below. A Source listing iS contained in 


mompendix B. 





TC PREEMPT HANDL&R Procedure 
Berin 
Cal WAIT LOCK 
YP ID := RUNNING VP 
Process ID s= RUNNING LIST [VF_ID] 
If process is not idle Then 
Process state := ready 
emda it 
Call TC_G2TWORK 
Call WAIT UNLOCK 
STURN 
End TC PREEMPT HANDL=R 


ioe bOGeweand WALT UNLOCK provide an exclusion 
mechanism which prevents Simultaneous multiple use of the 
APT maeeaesMiltiprocessor configuration. This mechanism 
mavores WAIT and SIGNAL of the Inner Traffic Controller. 

c. Eventcounts 

An eventcount iS’a non-decreasing integer 
associated with a global object called an event [11]. The 
Event Manager, a level-3 module, controls access to event 
mere when required and provides the Traffic Controller with 
a HANDLE, an INSTANCE, and a COUNT. The values for all 
eventcounts (and seqvencers) are maintained at the Memory 
Manager level and are accessed by calls to the Merory 


manager. The HANDLE provides the traffic controller with an 
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event ID, associated with a particuler segment. INSTANCE is 
Sumore ) SDECific definition of the @vent. For example, each 
SASS supervisor segment has two eventcounts associated with 
mma INSTANCE 1 and a INSTANCE 2, that the supervisor uses 
keep track of read and write access to the sSeement [2]. 
Eventcounts Deore information concerning system-wide 
events. They are maninulated by the Traffic Controller 
functions ADVANCE and AWAIT anc by the Memory Manager 
functions, READ and TICKET. A proposed high level desien for 
ADVANCS and AWAIT is provided in Appendix C. 
a. Advance 

ATYANCS signals the occurrence of an event 
(e.g., a fTread access to a particular supervisor segment). 
Memvalte€ of tre evéentcount is the number of ATVANCE 
operations tnat nave been performed on it. when an event is 
advanced, the fact must be broadcast to all imine ed 
processes awaiting it and the process must be awakened and 
placed on the ready list. Some of the newly awakened 
processes may have a higher priority than some of the 
running processes. In this case a virtual preempt, 
SET VPREEMPT (VP_ID), must be sent to the virtuél processors 


loaded with tnese lower priority processes. 
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b. Await 
When a process desired to block itself until 
femme lar Cyent occurs, it invokes AWAIT. This procedure 
returns to the calling process when a Specified eventcount 
ieee acned. Its function is similar to WAIT. 
c. Read 
REAL returns the current value of the 
eventcount. This is an Event Manager (level three) function. 
This module calls the Memory Maneger module to ottain the 
eventcount value. 
a. Tieket 
iitoOuMmemomariaes cc comnlete timeé-ordering of 
possibly concurrent events. It uses a non-decreasineg 


mmperper, called a sequencer, which is also associated with 


tay 


each supervisor segment. AS witn R8SAD, this is an vent 
Manager function that calls tne Memory Manéger to access the 
sequencer value. Each invocation of TICKET increments the 
wealue of the sequencer and returns it to the caller. Two 
Gifferent uses of ticket will return two different values, 


meeresponding to the order in which the calls were made. 


Mee SISTEM INITIALIZATION 


Eecause the Inner fraffic Controller’s scheduler, 


GETWORK, can accommodate both normal calls and hardware 


10 0) 
O 





meeerrupt jumps, the problem of system initialization is not 
ieeericult. 

Hoetmeoshoo 15 first Started at level-1, the Idle VP is 
running and the memory manager VP, which has the highest 
priority, is the first ready virtual processor in the ready 
dist. All VP°s available to the Traffic Controller for 
level-2 schedling are ready. Their IDLE FLAG’s and PREEMFT 
flags are set. 

At level-2, all VPs are loaded with idle processes and 
all supervisor processes are ready. 

The kernel stack Segment of each process iS initialized 
mamappeacr 4s if it had be€n saved by a hardware Preempt 


interrupt (Figure 16). 
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ipibiati zed Stack 


Stack Segment 






ker stack ptr 


IRET FLAG 


ker FCW 


Figure 16 


stack base 


All CPU registers and the supervisor stack pointer are 
stored on the stack. Ri5 is reserved as the xernel stack 
Moet; nit contains the DBR. All other registers can be used 
to pass initial parameters to tne process. Tne order in 
which these registers appear on the stack supports the Z/ASM 
block-move instructions. 

The status block contains the current value of the stack 
pointer, R15, and the preempt interrupt return flag. This 


flag is set to indicate that the process has been saved by a 
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preempt interrupt. The first tnree items on the stack: the 
meoeess Entry point, the initial process flag control word, 
and an interrupt indentifier, are also initialized to 
Support the action of a hardware interrupt. 

To start-up the system, R14 (the DBR) is set to the Idle 
process DBRs the CPU Frogram counter is assigned the 
PREEMPT ENTRY point in GETWORK; the CPU Flag Control Word 
(FCW) is initialized for the kernel domain; and the CFU is 
started. Because the Idle VP is the lowest priority Veet 
the syStem, it will place itself back in the ready state and 
move the Memory Manager in the running state. The Memory 
Manager will execute an interrupt return because the 
interrupt return flag was set by system initialization. 
There will be no Work for this xernel process $0 it will 
mmmeeenitT to place itself in the waiting state. The next 
ready VP is idling, but since it’s IDILE_FIAG and PREEMPT 
flag are set, GETWORK will select it. It too will execute an 
interrupt return, but because its PRESMPT flag is set, it 
will call TC_PREEMPT_HANDLER. This will cause the first 
ready process to be scheduled. KEach time a supervisor 
mrocess blocks itsel?, the next idle VS will be selected and 
the sequence will be repeated. 

The action described above iS in accord with normal 


Meeration of the system. The only unique features of 





imitialization are the entry point (PREEMPT-ENTRI: in 
GETWORK) and the values in the initialized kernel stack. 

The implementation presented in this thesis has been run 
Sec ceows aevelopmental module. System initialization has 
been tested and executes correctly. At the current level of 
implementation, no process multipvlexing fnCc | 1 Onmeels 
available. There is no provision for unlocking the APT after 
meet ialized process has been loaded as 4 result, 4 call 
Mmotne Traffic Contorller (viz., ADVANCE or AWAIT). In a 
meoeess Multiplexed environment this would cause 42 system 
deadlock. Once the process left the kernel domair with a 
Mmeeneo AFT, nO process would be able to unlock it. The 
Meer ic)€6CController must handle this system initialization 


problem. 
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¥V. GONCLUSION 


The implementation presented in this thesis created a 
security kernel monitor that runs on the Zé¢ce LTevelopmental 
Module. Tnis monitor supports mrultiprogramming and precess 
management ina distributed operating system. The process 
executes in a multiple virtual processor environment wnich 
momindependent of the CFU configuration. 

This monitor was designed specifically to support the 
Secure archival Storasze System (SASS) (1, 2, 3]. Fowever, 
the implerentation is based on a family of Operating Systems 
[4] designed with a primary goal of oproviding multilevel 
Meererty Of information. Altnougen the monitor currently runs 
On a2 single microprocessor system, the implementation fully 


supports a multiprocessor design. 


A. RECOMMENDATIONS 


Fecause the Zilog MMU is not vet available for tne Z&¢@¢?¢ 
Beeiiopmental Module, it was necesary to simulate tne 
Seementation hardware. As explained in Chapter IV, this was 
accomplished by reserving a CrvU register, R14, as a 
Descriptor Base Register (DER) to provide a link to the 
loaded addresss space. When tne MMU becomes available, this 


Simulation must be removed. This can te done in two steps. 
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first, the addressing format must be translated to the 
segmented form. This requires no system redesign. 

Second, the switching mechanism most be modified to 
accomodated to use the MMU. This can be done by modifyine 
SoeeowAr DBR portion of GCETWORK to multiplex the MMU_IMAGE 
mato, the MMU hardware and thiS can be accomplished by 


changing about a dozen lines of the existing code. 


Bee rOLLOW ON WORK 


mmrrouchn tne monitor appears to execute correctly, it 
has not been rigorously tested. Before higher levels of the 
system are added, it is essential that the monitor te highly 
reliable. Therefcre a formal test and evaluation plan should 
be developed. 

An automated system generation and ice tled | Wziet 20n 
mechanism is also required if the monitor to be iS a useful 
rool ae the development of higher levels of the design. 

Once the monitor has been proven reliable and can be 
loaded easily, work on the implementation of the Memory 
Manager Kernel process and the remainder of the kernel can 


continue. 
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APPENDIX C 


ADVANCE Procedure (HANDLE, INSTANCE) 
Begin 
Call WAIT LOCK (APT) 
! wake up ! 
PROCESS s= EVENT LIST READ (HANDLE, INSTANCE) 
COUNT := MM_ADVANCE COUNT (HANDLE, INSTANCE) 
! make ready ! 
Do while not end of READY LIST 
If PROCESS.COUNT <= COUNT THEN 
Call MAKE READY 
end if 
end do 
f initialize vreempt array ! 
Do for VP_{[) = 1 TO #NR_VP 


RUNNING LIST [VP_ID] .PREEMPT s= #TRUE 
end do 


! find preempt candidates ! 

CANDIDATES := ¢ 

PROCESS := READY LIST HEAD 

Do (for VP_ID := 1 to #NR_VP) and not end READY_LIST 
If PROCESS = #RUNNING TREN 


RUNNING LIST [VP ID} .PREEMPT := #FALSE 
else 


CANDIDATE := CANDIDATE +1 
end if 


Get next ready process 
end do 
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{ preempt candidates ! 


Do for VF_ID := 1 to CANDIDATES 
If RUNNING_VP [VP_ID] = #TRUE Then 
Call SET_VPREEMPT (VP_ID) 
end if 
end do 


Call WAIT UNLOCK (APT) 


Return 


End ADVANCE 
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AWAIT Procedure (HANDLE, INSTANCE, COUNT) 
Begin 
Call WAIT LOCK (APT) 
VP_ID := RUNNING _VP 
PROCESS := RUNNING LIST (VP ID} 
CURRENT COUNT := MM READ COUNT (EANDLE, INSTANCE) 
If CURRENT COUNT < COUNT Then 
Call THREAD BLOCKED LIST (HANDLE, INSTANCE, PROCESS) 
PROCESS.RANDLE := HANDLE 
PROCESS. INSTANCE := INSTANCE 


PROCESS .COUNT := COUNT 
PROCESS .STATE s= #BLOCKED 


Call TC_GETWORK 
end if 


Return 


End AWAIT 
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